Detailed Action
Response to Arguments 

Applicant's arguments with respect to claims 1-41 have been considered but are moot in 
view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

2. Claims 1-22, 25, 27-34, 36, 40-41, 43-46 are rejected under 35
U.S.C. 103(a) as being unpatentable over Khidekel (US PGP No. 20010027527)
and further in view of Ballantyne (US Patent No. 5867821).

As per claims 1, 9, 16, 29 and 40, Khidekel teaches:

A method for signing access operations to electronic data, comprising: 

performing a security check upon each access operation in order to ascertain the identity of a 
user; 

[see paragraph 0029] "The user can be authenticated based on the user's credentials" 
[see paragraph 35, wherein upon receiving the token, the secure server validates the 
token by comparing the difference between the current time and the authentication time 
to the predefined threshold to make sure a duration of time has not expired. It is clear 
from this that each access operation must be logged and a security check performed 
because if each access is not logged, there would be an error in the duration of time 
since the last access operation that was not logged.]

assigning a user signature, identifying the user, on the basis of the performed security check 
without being viewable by the user; 



[see paragraph 0034] "Token" 

assigning at least one role signature, each role signature being assignable to a plurality of users,
on the basis of the performed security check without being viewable by the user; and 

[see paragraph 0039] ". . . business rules that indicate which users are authorized to take 
various types of actions. . . " 

signing each access operation to electronic data by specifying the user signature and the role 
signature; and 

[see paragraph 0034-0035] 

recording each access operation and the user signature and the at least one role signature 
specified for each access operation. 

[see above explanation for why each access operation is logged.] 

The Khidekel reference is mute in teaching the following limitations: 

wherein each access operation is recorded in an audit memory, 

the user signature is recorded in the audit memory, and 

the at least one role signature is recorded in the audit memory. 

For the above limitations, examiner relies upon the Ballantyne reference. Ballantyne teaches at 
col. 8, lines 1-64, auditing user accesses to all the archived electronic health records contained 
in the master library (ML). Examiner views the identification number as analogous to the 
claimed user signature and the personal electronic profile as containing information analogous 
to the claimed role signature. Ballantyne teaches logging of all user actions as well as recording 
user accesses by ID numbers and accompanying user profiles. It would have been obvious to 
one of ordinary skill in the art to modify the Khidekel reference to include archiving of access 
operations in an audit memory as taught by Ballantyne in order to automate data collection and 
reduce manual collection and storage of user information. This in turn would create a more 
efficient and effective system. 



As per claims 2, 10, and 30, Khidekel teaches: 

The method as claimed in claim 1, wherein the security check involves biometric data from the
user being ascertained. 

[see paragraph 0029] 

As per claims 3, 11, 17, and 31, Khidekel teaches:

The method as claimed in claim 1, wherein the security check involves reading at least one of an
electronic and mechanical key. 

[see paragraph 0029, "smartcard"] 

As per claims 4, 12, 18, 19, 25, and 32, Khidekel teaches: 

The method as claimed in claim 1, wherein the user signature to be assigned is ascertainable on
the basis of the data ascertained in the security check, by checking a user signature memory.

[see paragraph 0026, "database 24"]

As per claims 5, 13, 20, 21, 27, and 33, Khidekel teaches: 

The method as claimed in claim 1, wherein the role signature to be assigned is ascertainable on
the basis of the data ascertained in the security check, by checking a role signature memory.

[see paragraph 0026, "database 24"]

As per claims 6, 14, 22, 28, 34, Khidekel teaches: 

The method as claimed in claim 4, wherein the user signature memory is checked using a data 
telecommunication link. 

[see paragraph 0028, "communications can be sent over a secure socket layer"] 

As per claim 7, Khidekel teaches: 

The method as claimed in claim 1, wherein one user is assignable a plurality of role signatures
simultaneously. 

[see paragraph 0039, wherein specified physicians may be permitted to view patient 
records as well as modify them while administrative staff may only view patient records] 

As per claims 8, 15, and 36, Khidekel teaches: 

The method as claimed in claim 1, wherein the data are medically relevant, wherein the users are
medical specialist personnel, and wherein the roles are formed in line with the workgroups within 
the medical specialist personnel. 

[see paragraph 0025]

As per claim 41, Khidekel teaches:

The method as claimed in claim 40, wherein an access operation can be reconstructed by 
specifying at least one of the user's former and current role signatures. 

[see paragraph 41, resubmit credentials for re-authentication.]

As per claims 43-46, Ballantyne teaches:

The method as claimed in claim 1, wherein the user signature memory and the role signature
memory are maintained independently from the audit memory. 

[see col. 15, lines 40-67, and col. 16, lines 1-13]

CONCLUSION

3. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant 
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS 
from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the 
date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will the statutory 
period for reply expire later than SIX MONTHS from the date of this final action. 

POINTS OF CONTACT 

Any response to this Office Action should be faxed to (571) 273-8300 or mailed to:

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulaney Street 
Alexandria, VA 22314 

should be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner
can normally be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

/Daniel L. Hoang/ 
Examiner, Art Unit 2436 



/Nasser G Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 



